CVE-2022-50590

SuiteCRM versions prior to 7.12.6 contain a type confusion vulnerability within the processing of the ‘module’ parameter within the ‘deleteAttachment’ functionality. Successful exploitation allows remote unauthenticated attackers to alter database objects including changing the email address of the administrator.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://blog.exodusintel.com/2022/06/09/salesagility-suitecrm-deleteattachment-type-confusion-vulnerability/	Third Party Advisory
https://docs.suitecrm.com/admin/releases/7.12.x/#_7_12_6	Release Notes
https://www.vulncheck.com/advisories/suitecrm-type-confusion-via-deleteattachment-functionality	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*

History

24 Nov 2025, 19:05

Type	Values Removed	Values Added
References	~~() https://blog.exodusintel.com/2022/06/09/salesagility-suitecrm-deleteattachment-type-confusion-vulnerability/ -~~	() https://blog.exodusintel.com/2022/06/09/salesagility-suitecrm-deleteattachment-type-confusion-vulnerability/ - Third Party Advisory
References	~~() https://docs.suitecrm.com/admin/releases/7.12.x/#_7_12_6 -~~	() https://docs.suitecrm.com/admin/releases/7.12.x/#_7_12_6 - Release Notes
References	~~() https://www.vulncheck.com/advisories/suitecrm-type-confusion-via-deleteattachment-functionality -~~	() https://www.vulncheck.com/advisories/suitecrm-type-confusion-via-deleteattachment-functionality - Third Party Advisory
First Time		Salesagility Salesagility suitecrm
CPE		cpe:2.3:a:salesagility:suitecrm::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3

06 Nov 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-11-06 20:15

Updated : 2025-11-24 19:05

NVD link : CVE-2022-50590

Mitre link : CVE-2022-50590

CVE.ORG link : CVE-2022-50590

JSON object : View

Products Affected

salesagility

suitecrm

CWE

CWE-843

Access of Resource Using Incompatible Type ('Type Confusion')

{"id": "CVE-2022-50590", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-11-06T20:15:36.990", "references": [{"url": "https://blog.exodusintel.com/2022/06/09/salesagility-suitecrm-deleteattachment-type-confusion-vulnerability/", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://docs.suitecrm.com/admin/releases/7.12.x/#_7_12_6", "tags": ["Release Notes"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/suitecrm-type-confusion-via-deleteattachment-functionality", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-843"}]}], "descriptions": [{"lang": "en", "value": "SuiteCRM versions prior to 7.12.6 contain a type confusion vulnerability within the\u00a0processing of the \u2018module\u2019 parameter within the \u2018deleteAttachment\u2019 functionality. Successful exploitation allows remote unauthenticated attackers to alter database objects including changing the email address of the administrator."}], "lastModified": "2025-11-24T19:05:39.117", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ADD22F85-ECD2-455A-9441-636E35C01F1B", "versionEndExcluding": "7.12.6"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}